[tor-onions] SSL certificates for hidden services/.onion domains

Ron Risley ronqonions at risley.net
Mon Feb 22 00:22:00 UTC 2016


I know that a select few public SSL certificates have been issued for .onion domains, but I understand that the status of those certs is tenuous.

Has anyone considered implementing a custom certificate service just for .onions? If the Tor Browser shipped with an additional root certificate, that certificate could be used to sign .onion domains. Proof of ownership of .onion domains is relatively easy to ascertain. I haven't looked at the problem in detail, but I believe that a fully-automated process could issue certs for arbitrary .onion domains encrypted with the domain's public key. Only the domain owner would have the private key to decrypt and install the certificate.

torproject.org would have to be willing to ship the Tor Browser with the necessary root certificate, but the root would not need the blessing of the CA/Browser Forum or any other authority figure.

I realize that just having the Tor Browser recognize the certs wouldn't bring all the benefits of SSL to hidden services, but it would be a good start and could be done without involving politically fractious standards bodies outside the Tor community.

Am I late to the party? Has anyone been thinking along these lines?

Peace...

--Ron
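The issuance flow Ron sketches, worked through end to end as an added example (this is not code from the post or from any Tor Project component, and the names `OnionCA`, `seal`, `unseal` and `browser_accepts?` are hypothetical). It uses the v2 address scheme current at the time of the post: the address is the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey, base32-encoded. Because the address is a hash of the key, proof of ownership needs no challenge exchange at all: the CA only recomputes the address from the submitted key. The issued certificate is then sealed to that same RSA key (AES-256-GCM body, key material wrapped with RSA-OAEP), so only the holder of the onion private key can recover it. Two caveats the post leaves out: the seal step works for v2 only because the onion key is an RSA encryption-capable key (v3 addresses, introduced later, encode an ed25519 signing key, so a CA would use a signed challenge instead), and the browser-side check at the end is where the scheme adds something a public CA cannot, since it re-derives the address from the leaf's public key rather than trusting any registrar. Ruby's bundled OpenSSL binding is used so the example runs with no third-party gems; the hidden-service key is generated inline as constructed sample input.

```ruby
require 'openssl'

# Alphabet used by Tor for onion addresses (RFC 4648 base32, lowercase, no padding).
B32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567'.freeze

# Base32-encode a byte string whose length is a multiple of 5 (10 bytes here), so no padding arises.
def base32_encode(bytes)
  bytes.unpack1('B*').scan(/.{5}/).map { |chunk| B32_ALPHABET[chunk.to_i(2)] }.join
end

# DER of PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
# This, not SubjectPublicKeyInfo, is what Tor hashes for a v2 onion address.
def pkcs1_der(rsa)
  OpenSSL::ASN1::Sequence.new([
    OpenSSL::ASN1::Integer.new(rsa.n.to_i),
    OpenSSL::ASN1::Integer.new(rsa.e.to_i)
  ]).to_der
end

# v2 address: first 80 bits of SHA-1(RSAPublicKey DER), base32 => 16 characters + ".onion".
def onion_address(rsa)
  base32_encode(OpenSSL::Digest.new('SHA1').digest(pkcs1_der(rsa))[0, 10]) + '.onion'
end

# Hypothetical onion-only CA. It needs no DNS, no domain validation and no CA/B Forum audit:
# ownership of a v2 address is proven by presenting the key that hashes to it.
class OnionCA
  attr_reader :cert

  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
    @cert = build_root
  end

  # Fully automated issuance: refuse unless the key really hashes to the requested address,
  # then sign a leaf and seal it to that key so only the onion's private key can read it.
  def issue(requested_address, public_key)
    raise ArgumentError, "key does not hash to #{requested_address}" unless onion_address(public_key) == requested_address
    leaf = OpenSSL::X509::Certificate.new
    leaf.version = 2
    leaf.serial = OpenSSL::BN.rand(64)
    leaf.subject = OpenSSL::X509::Name.new([['CN', requested_address]])
    leaf.issuer = @cert.subject
    leaf.public_key = public_key
    leaf.not_before = Time.now - 60
    leaf.not_after = Time.now + 90 * 86_400
    ef = OpenSSL::X509::ExtensionFactory.new(@cert, leaf)
    leaf.add_extension(ef.create_extension('subjectAltName', "DNS:#{requested_address}", false))
    leaf.sign(@key, OpenSSL::Digest.new('SHA256'))
    seal(leaf.to_der, public_key)
  end

  private

  # Hybrid seal: AES-256-GCM over the DER cert, with key||iv wrapped under RSA-OAEP to the onion key.
  def seal(plaintext, rsa_pub)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    key = cipher.random_key
    iv = cipher.random_iv
    cipher.auth_data = ''
    body = cipher.update(plaintext) + cipher.final
    { wrapped_key: rsa_pub.public_encrypt(key + iv, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING),
      body: body, tag: cipher.auth_tag }
  end

  def build_root
    root = OpenSSL::X509::Certificate.new
    root.version = 2
    root.serial = 1
    root.subject = OpenSSL::X509::Name.new([['CN', 'Hypothetical Onion-Only Root']])
    root.issuer = root.subject
    root.public_key = @key.public_key
    root.not_before = Time.now - 60
    root.not_after = Time.now + 10 * 365 * 86_400
    ef = OpenSSL::X509::ExtensionFactory.new(root, root)
    root.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    root.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
    root.sign(@key, OpenSSL::Digest.new('SHA256'))
    root
  end
end

# Hidden-service side: only the holder of the onion private key can open the sealed cert.
def unseal(sealed, rsa_priv)
  key_iv = rsa_priv.private_decrypt(sealed[:wrapped_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key_iv[0, 32]
  cipher.iv = key_iv[32, 12]
  cipher.auth_tag = sealed[:tag]
  cipher.auth_data = ''
  OpenSSL::X509::Certificate.new(cipher.update(sealed[:body]) + cipher.final)
end

# What a browser shipping the onion root would check. The last line is the onion-specific
# step: the leaf key itself must hash to the address, independent of what the CA signed.
def browser_accepts?(leaf, address, root)
  return false unless leaf.verify(root.public_key) && leaf.issuer == root.subject
  return false unless leaf.subject.to_a.any? { |attr| attr[0] == 'CN' && attr[1] == address }
  return false unless Time.now.between?(leaf.not_before, leaf.not_after)
  onion_address(leaf.public_key) == address
end

# Whole flow: constructed 1024-bit hidden-service key (the v2 key size), CA issues, owner unseals,
# browser validates. Returns [address, leaf, root, accepted?].
def demo
  ca = OnionCA.new
  onion_key = OpenSSL::PKey::RSA.new(1024)
  address = onion_address(onion_key)
  leaf = unseal(ca.issue(address, onion_key.public_key), onion_key)
  [address, leaf, ca.cert, browser_accepts?(leaf, address, ca.cert)]
end
```

The `ArgumentError` in `issue` is the whole ownership check: an attacker who knows someone else's address but not the key cannot get a certificate for it, because no key they hold hashes to that address. Note that the CA is still a single point of failure for mis-issuance if its signing key is stolen, which is why the browser-side re-derivation of the address from the leaf key matters.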

